Enforcing Secure Passwords in Horde

A coworker, Alex, discovered that Horde, in conjunction with Plesk, allows users to change their passwords arbitrarily — but doesn’t enforce any sort of password policy, allowing such passwords as “test” or even “” (null). This, obviously, is a huge security risk as mail compromises can lead to fairly terrible things.

If you (or a client you are representing) want Horde to enforce a typical “strict password” policy, look for the file:

horde/passwd/backends.php

And read the bit about password policy. An example policy that can be set in this file that would require 1 capital, 1 lowercase, 1 special character and 1 number, with a minimum password size of 8, would look like:
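
To see what such a policy accepts and rejects before relying on it, the following stand-alone PHP script applies the rules described above to a few constructed passwords. It is an added example, not code from the original post or from Horde; the array key names are assumptions and should be checked against the comment block in backends.php.

```php
<?php
// Added illustration, not Horde's code. The values are the ones the post
// describes; the key names are assumed and must be checked against the
// comment block in horde/passwd/backends.php.
$policy = [
    'minLength'  => 8,
    'minUpper'   => 1,
    'minLower'   => 1,
    'minNumeric' => 1,
    'minSymbol'  => 1,
];

// Returns the policy keys the candidate password fails (empty array = accepted).
function policy_failures(string $password, array $policy): array
{
    $count = ['minUpper' => 0, 'minLower' => 0, 'minNumeric' => 0, 'minSymbol' => 0];
    $len = strlen($password);
    // Index by byte so that an empty password yields no characters at all.
    for ($i = 0; $i < $len; $i++) {
        $c = $password[$i];
        if (ctype_upper($c)) {
            $count['minUpper']++;
        } elseif (ctype_lower($c)) {
            $count['minLower']++;
        } elseif (ctype_digit($c)) {
            $count['minNumeric']++;
        } elseif (ctype_punct($c)) {
            $count['minSymbol']++;
        }
    }
    $failed = [];
    if ($len < ($policy['minLength'] ?? 0)) {
        $failed[] = 'minLength';
    }
    foreach ($count as $key => $seen) {
        if ($seen < ($policy[$key] ?? 0)) {
            $failed[] = $key;
        }
    }
    return $failed;
}

// Constructed sample passwords, including the two weak ones from the post.
foreach (['', 'test', 'Password1', 'c0rrect-Horse'] as $candidate) {
    $failed = policy_failures($candidate, $policy);
    printf("%-16s %s\n", var_export($candidate, true),
        $failed ? 'REJECT: ' . implode(', ', $failed) : 'ok');
}
```

After changing the policy in backends.php, attempt a password change in Horde with the same weak values to confirm the server-side behaviour matches.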